Configure Java 2 security policy files:

Configure Java 2 security policy files

Java 2 security uses several policy files to determine the granted permissions for each Java programs. See the Dynamic policy article for the list of available policy files supported by WebSphere Application Server Version.
There are two types of policy files supported by WebSphere Application Server: dynamic policy files and static policy files. Static policy files provide the default permissions. Dynamic policy files provide application permissions. There are six dynamic policy files:

Policy file Description
app.policy file Contains default permissions for all of the enterprise applications in the cell.
was.policy file Contains application-specific permissions for an WebSphere Application Server enterprise application. This file is packaged in an enterprise archive file.
ra.xml file Contains connector application specific permissions for a WebSphere Application Server enterprise application. This file is packaged in a resource adapter archive (RAR) file.
spi.policy file Contains permissions for Service Provider Interface (SPI) or third-party resources embedded in WebSphere Application Server. The default contents grant everything. Update this file carefully when the cell requires more protection against SPI in the cell. This file is applied to all of the SPIs defined in the resources.xml file.
library.policy file Contains permissions for the shared library of enterprise applications.
filter.policy file Contains the list of permissions that require filtering from the was.policy file and the app.policy file in the cell. This filtering mechanism only applies to the was.policy and app.policy files.

Identify the policy file to update.

If the permission is required by an application, update the static policy file. Refer to Configure static policy files.

If the permission is required by all of the WebSphere Application Server enterprise applications in the node,refer to Configure spi.policy files.

If the permission is required only by specific WebSphere Application Server enterprise applications and the permission is required only by connector,update the ra.xml file. Refer to Assembling Resource adapter modules. Otherwise update the was.policy file. Refer to Configure was.policy files and Adding the was.policy file to applications.

If the permission is required by shared libraries, refer to Configure library.policy files.

If the permission is required by SPI libraries, refer to Configure spi.policy files.

Note: It is recommended to pick up the policy file with the smallest scope. One can avoid giving an extra permission to the Java programs and protect the resources. One can update the ra.xml file or the was.policy file rather than the app.policy file. Use specific component symbols ($(ejbcomponent), ${webComponent},${connectorComponent} and ${jars}) than ${application} symbols. Update dynamic policy files than static policy files.
Add any permission that should never be granted to the WebSphere Application Server enterprise application in the cell to the filter.policy file. Refer to Configure filter.policy files.
Restart the WebSphere Application Server enterprise application.

Results
The required permission is granted for the specified WebSphere Application Server enterprise application.

Usage scenario
If an WebSphere Application Server enterprise application in a cell requires permissions, some of the dynamic policy files need updating. The symptom of the missing permission is the exception, java.security.AccessControlException. The missing permission is listed in the exception data, for example,
 java.security.AccessControlException: access denied  java.io.FilePermission(C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar read) 
When a Java program receives this exception and adding this permission is justified, add a permission to an adequate dynamic policy file, for example,
 grant codeBase "file:<user client installed location>" { permission java.io.FilePermission "C:\WebSphere\AppServer\java\jre\lib\ext\mail.jar", "read";
}; 
To decide whether to add a permission, refer to the article AccessControlException.
Java 2 security policy files
AccessControlException
Configure static policy files
Java 2 security

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.

Policy file	Description
app.policy file	Contains default permissions for all of the enterprise applications in the cell.
was.policy file	Contains application-specific permissions for an WebSphere Application Server enterprise application. This file is packaged in an enterprise archive file.
ra.xml file	Contains connector application specific permissions for a WebSphere Application Server enterprise application. This file is packaged in a resource adapter archive (RAR) file.
spi.policy file	Contains permissions for Service Provider Interface (SPI) or third-party resources embedded in WebSphere Application Server. The default contents grant everything. Update this file carefully when the cell requires more protection against SPI in the cell. This file is applied to all of the SPIs defined in the resources.xml file.
library.policy file	Contains permissions for the shared library of enterprise applications.
filter.policy file	Contains the list of permissions that require filtering from the was.policy file and the app.policy file in the cell. This filtering mechanism only applies to the was.policy and app.policy files.